Keycloak Admin REST API Improper Access Control Vulnerability Allowing Sensitive Role Metadata Disclosure

Vulnerability

A vulnerability exists in the Keycloak Admin REST API due to improper access control on the roles endpoint of the admin realms resource. A remote, authenticated attacker who already holds a high-privilege account in the realm, but whose assigned permissions should not include reading role definitions, can retrieve sensitive role metadata, including the names, IDs and internal identifiers of administrator-created roles. Disclosure of this information lets the attacker map the realm's privilege structure and plan targeted privilege-escalation attempts, impacting the confidentiality of affected Keycloak deployments.
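
The advisory does not say which restricted permission set slips through the check, so the practical test is empirical: authenticate as a deliberately restricted admin account that should not be able to read role definitions and see whether the realm-roles listing still comes back with HTTP 200 and role metadata. The script below is an added example (not code from the advisory or from the Keycloak project). The endpoint paths are the documented Keycloak paths for the realm token endpoint and the Admin REST API roles listing; the realm name, client id, credentials and the sample JSON body are placeholders and constructed data, not values taken from the page.

```python
"""Permission check for the Keycloak Admin REST API realm-roles listing.

Added example; not code from the advisory or from the Keycloak project.
Run it with a restricted test account in a non-production realm. If that
account should not see role definitions yet the listing returns HTTP 200
with role metadata, the deployment shows the behaviour described above.
Endpoint paths are the documented Keycloak paths; realm, client and
credentials are placeholders supplied on the command line.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Roles Keycloak creates in every realm; anything else is administrator-created.
BUILTIN_ROLE_NAMES = {"offline_access", "uma_authorization"}
BUILTIN_ROLE_PREFIXES = ("default-roles-",)


def get_token(base_url, realm, username, password, client_id="admin-cli"):
    """Password grant against the realm token endpoint (stock admin-cli flow)."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id,
        "username": username, "password": password,
    }).encode()
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form), timeout=10) as resp:
        return json.load(resp)["access_token"]


def fetch_roles(base_url, realm, token):
    """GET the realm-roles listing; return (status, body) even on a 4xx."""
    url = f"{base_url}/admin/realms/{realm}/roles"
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def is_builtin_role(name):
    return name in BUILTIN_ROLE_NAMES or name.startswith(BUILTIN_ROLE_PREFIXES)


def assess_roles_response(status, body):
    """Classify a roles-endpoint response. Pure function, so it is testable offline.

    Returns a dict with 'verdict' and, when metadata came back, the disclosed
    (name, id) pairs split into built-in and administrator-created roles.
    """
    empty = {"builtin": [], "custom": []}
    if status == 401:
        return {"verdict": "UNAUTHENTICATED", **empty}   # bad or expired token
    if status == 403:
        return {"verdict": "DENIED", **empty}            # the expected answer for a restricted account
    if status != 200:
        return {"verdict": f"UNEXPECTED_{status}", **empty}
    try:
        roles = json.loads(body)
    except json.JSONDecodeError:
        return {"verdict": "UNEXPECTED_BODY", **empty}
    pairs = [(r.get("name", ""), r.get("id", "")) for r in roles if isinstance(r, dict)]
    return {
        "verdict": "DISCLOSED",
        "builtin": [p for p in pairs if is_builtin_role(p[0])],
        "custom": [p for p in pairs if not is_builtin_role(p[0])],
    }


# Constructed sample of a 200 body from the roles endpoint (not captured from a real server).
SAMPLE_200_BODY = json.dumps([
    {"id": "0b7a6e2c-0000-4000-8000-000000000001", "name": "offline_access", "composite": False, "clientRole": False},
    {"id": "0b7a6e2c-0000-4000-8000-000000000002", "name": "default-roles-demo", "composite": True, "clientRole": False},
    {"id": "0b7a6e2c-0000-4000-8000-000000000003", "name": "payments-approver", "composite": False, "clientRole": False},
])


def main(argv):
    if len(argv) != 5:
        print("usage: roles_check.py BASE_URL REALM USERNAME PASSWORD")
        print("offline demo:", assess_roles_response(200, SAMPLE_200_BODY))
        return 2
    base_url, realm, user, pw = argv[1:]
    status, body = fetch_roles(base_url, realm, get_token(base_url, realm, user, pw))
    result = assess_roles_response(status, body)
    print(result["verdict"])
    for name, role_id in result["custom"]:
        print(f"  administrator-created role disclosed: {name} ({role_id})")
    # Non-zero exit when a principal that should be denied still sees role metadata.
    return 1 if result["verdict"] == "DISCLOSED" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script authenticates and lists roles against the same realm, which matches a realm-local admin account; a master-realm account would take its token from the master realm instead. A 403 is the answer a correctly restricted account should receive; a 200 that lists administrator-created roles is the disclosure the advisory describes, and the exit code makes the check usable in a post-upgrade smoke test.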

Impact

Successful exploitation discloses sensitive role metadata (names, IDs and internal identifiers of administrator-created roles) to a principal not entitled to read it. An attacker can use that information to map the realm's privilege structure and pick the roles worth targeting in a subsequent privilege-escalation attempt. The direct impact is to confidentiality.

Added: Dec 10, 2025, 9:19 AM
Updated: Dec 10, 2025, 9:19 AM

Vulnerability Rating

Custom Algorithm

  spread          5.2
  impact          2.5
  exploitability  5.0
  remediation     0.0
  relevance       1.3
  threat          0.0
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.